Subscribe to our Threatpost Today newsletter

Join thousands of people who receive the latest breaking cybersecurity news every day.

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

*

*

I agree to my personal data being stored and used to receive the newsletter

*

I agree to accept information and occasional commercial offers from Threatpost partners

The administrator of your personal data will be Threatpost, Inc., 500 Unicorn Park, Woburn, MA 01801. Detailed information on the processing of personal data can be found in the privacy policy. In addition, you will find them in the message confirming the subscription to the newsletter.

Volume of Malware Targeting Java CVE-2012-1723 Flaw Spikes

It’s been nearly two months since Oracle patched the CVE-2012-1723 Java vulnerability, a serious remote pre-authentication flaw that’s present in the Java Runtime Environment. It’s taken a little time, but the attacker community has decided that this bug deserves some serious attention, and as a result, attacks trying to exploit it have ramped up significantly in recent weeks.

It’s been nearly two months since Oracle patched the CVE-2012-1723 Java vulnerability, a serious remote pre-authentication flaw that’s present in the Java Runtime Environment. It’s taken a little time, but the attacker community has decided that this bug deserves some serious attention, and as a result, attacks trying to exploit it have ramped up significantly in recent weeks.

The first malware samples that were exploiting this vulnerability started appearing about a month ago, but it was just in dribs and drabs. But by the second week of July, the number of attacks on CVE-2012-1723 began to take off dramatically. Microsoft researchers compiled statistics that show the volume of malware targeting the Java flaw really took off around July 10, and, with some peaks and valleys in the interim, is still quite high now.

The vulnerability itself is in a JRE sub-component called Hotspot and attackers who are able to exploit it will have the ability to execute arbitrary code on the target machine.

“The issue is in the optimization performed when a field inside the class is accessed. A static field with a ClassLoader orObject type and bunch of instance-fields with custom data type is a strong indication of exploitation. A bunch of instance-fields are a buffer area where a type-confused object is retrieved,” Jeong Wook Oh of the Microsoft Malware Protection Center said in an analysis of the attacks.

An oddity with this vulnerability is that attackers don’t have the ability to disguise what they’re doing with their exploits in this case. Oh said that because attackers need to build a Java class with some specific attributes, it’s relatively easy for analysts to see what’s going on.

“Java-based malware could use a Java-reflection feature to obfuscate vulnerable class and methods loading code when the vulnerability is inside specific class and methods — for example, CVE-2012-0507 was related toAtomicReferenceArray class. The loading of AtomicReferenceArray class itself can be obfuscated and you can’t easily tell whether it is loading the specific class at all just by looking into the Java code. This makes the whole malware analysis process more time-consuming,” Oh said.

“For this vulnerability, attackers can’t obfuscate the core exploit part easily. As we explained with Figure 3, the attackers need to create a class with specific features like static field member with ClassLoader type or Objecttype. And bunch of instance fields follows. It has specific code pieces to run which looks like the code shown in Figure 4. Java doesn’t provide ways to obfuscate this class structure itself, so the code pattern stands out. You can easily identify the pattern just by statically investigating the code.”

Authors

Threatpost

InfoSec Insider Post

InfoSec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Post

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.